Insurers bank on data breach laws

Insurance providers have forecast a growing demand for cyber insurance products in Australia as the government moves to crack down on data breaches.

To date, cyber insurance products – covering breaches of privacy law, data loss and DDoS attacks – have attracted more than $500 million a year in premiums worldwide.

But 95 percent of the cyber insurance market is US-based, according to Ian Pollard, Asia Pacific vice president of insurer Chartis.

Chartis last week launched its cyber insurance product in Australia after 10 years in the US, to address growing awareness of cyber security risks and what Pollard described as a “convergence of legislation around the world”.

“Obviously, information is global; it’s on the world wide web and therefore [organisations] are exposed to international legislation,” he said.

“Boards and CEOs in Australia need to recognise that intentional or unintentional cyber breach can have serious financial, operational, legal and reputational consequences.”

Despite existing products from the likes of Chubb, Zurich and Macquarie Underwriting, Pollard said the local cyber insurance market was largely untapped.

That could change as Attorney-General Nicola Roxon moves to introduce laws forcing organisations to notify customers any time personal data falls into the wrong hands.

"Mandatory notification would definitely transform the landscape of the marketplace for cyber insurance in Australia,” Stephen Bonnington, Zurich Financial Services’ head of financial lines said.

Bonnington pointed to a 2011 Symantec report that found significant data breaches cost Australian organisations about $2 million per breach.

The Attorney-General’s Department this month indicated that organisations could face costs of more than $174 per breached record under a mandatory notification regime.

Bonnington said Zurich’s cyber insurance product had attracted “a large number of queries” from the finance and retail sectors since its introduction late last year.

"We have sold a number of these policies, but we're anticipating an exponential growth in our portfolio,” Bonnington said, citing a Zurich survey that found almost two-thirds of global businesses uninsured against cybercrime.

“Despite the low levels of insurance cover, more than half of [surveyed businesses] conceded that information security and cybercrime risks was either an ‘extremely serious’ or ‘serious’ threat to their business.

“I think we are going to see a much greater transfer from 'concern' to 'action' on this.”

Ken Goldstein, US-based vice president of Chubb Insurance, said the advent of mandatory data breach notification laws in Australia “could spark an interest” in its local product, which was introduced in April 2010.

Pollard expected Chartis’ product to appeal to the finance, education, medical, travel and retail sectors, with retailers especially keen to protect data collected for their loyalty card schemes.